General
-
Target
WizWormUPDATE.exe
-
Size
37.7MB
-
Sample
250325-z959fasyct
-
MD5
db0969723ce55d07ab0931a320411ce1
-
SHA1
d89183adedd94cfba95c0cf619d004d94158849d
-
SHA256
fa796ccbdb277c07688707b0c3cd6fe44848d77e25cadce285d03c45a6e32f37
-
SHA512
b0c48339444d2f52489a42779045b72c69c722a9fde79932016345160a715a1d5e7482ce02c4b8506a8645ae4507ed6c17864f4d74e8d87e2810ff76bbeff08d
-
SSDEEP
786432:drSR8JgzXVQBpoXSHl2gHHeQ7pEHe2RwSU7QvYppG9fJU0a1uzXE26Ef/:d2brV0pHHHe6EHe2uXAYpcfa1uV/
Static task
static1
Behavioral task
behavioral1
Sample
WizWormUPDATE.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
WizWormUPDATE.exe
Resource
win10v2004-20250314-en
Malware Config
Extracted
xworm
127.0.0.1:5552
OBV89v4uzmGcZD3l
-
Install_directory
%Temp%
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/D2tS0Xe2
Targets
-
-
Target
WizWormUPDATE.exe
-
Size
37.7MB
-
MD5
db0969723ce55d07ab0931a320411ce1
-
SHA1
d89183adedd94cfba95c0cf619d004d94158849d
-
SHA256
fa796ccbdb277c07688707b0c3cd6fe44848d77e25cadce285d03c45a6e32f37
-
SHA512
b0c48339444d2f52489a42779045b72c69c722a9fde79932016345160a715a1d5e7482ce02c4b8506a8645ae4507ed6c17864f4d74e8d87e2810ff76bbeff08d
-
SSDEEP
786432:drSR8JgzXVQBpoXSHl2gHHeQ7pEHe2RwSU7QvYppG9fJU0a1uzXE26Ef/:d2brV0pHHHe6EHe2uXAYpcfa1uV/
-
Chaos Ransomware
-
Chaos family
-
Detect Xworm Payload
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1